0x01 background
During Ubuntu system maintenance, the history command is often used.
However, when it comes to tracing colleagues' mistakes, assigning accountability, and finding clues after an intrusion, the default history command in Ubuntu does not meet our needs.
After some research, we found that the /etc/profile file can be modified to meet these requirements to a certain extent.
0x02 requirements
The following effects can be achieved when you execute the history command:
(1) display the command execution time
(2) display the user name for executing the command
(3) display the source IP address of the user executing the command
(4) User A can conveniently view User B's historical records
0x03 configuration implementation
To meet the first two requirements in section 0x02, you only need to append the following line to the end of the /etc/profile file:
export HISTTIMEFORMAT="%F %T `whoami` "
To implement the third requirement, you must first use the following commands to obtain the logon source IP address:
USER_IP=`who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g'`
if [ "$USER_IP" = "" ]
then
    USER_IP=`hostname`
fi
Then pass USER_IP into the exported HISTTIMEFORMAT value, that is:
export HISTTIMEFORMAT="%F %T $USER_IP:`whoami` "
To meet the fourth requirement, you need to change where history records are stored. By default, each user's history is stored in the .bash_history file in that user's home directory (full path: /home/<user name>/.bash_history). Therefore, to access user B's history records, user A must first escalate to root permission; otherwise, user B's home directory cannot be opened. Even if user A has root permission, if the system has 10 users, you need to enter 10 different directories and view each .bash_history file to find all the history records.
For convenience, you can use the HISTFILE environment variable to centralize the history records of all users in one directory and distinguish the individual history files by user name:
export HISTFILE="/opt/history/${LOGNAME}"
Based on the above tips, we can easily get the following script:
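# Logon source IP of the current session; fall back to the host name
# when who reports no remote address.
USER_IP=`who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g'`
if [ "$USER_IP" = "" ]
then
    USER_IP=`hostname`
fi
# Shared directory that holds every user's history file.
# Mode 777 lets each user create a file here, but without the sticky bit
# (mode 1777) any user can also delete or rename another user's file.
if [ ! -d /opt/history ]
then
    mkdir /opt/history
    chmod 777 /opt/history
fi
# Per-user subdirectory, writable and searchable only by its owner.
if [ ! -d /opt/history/${LOGNAME} ]
then
    mkdir /opt/history/${LOGNAME}
    chmod 300 /opt/history/${LOGNAME}
fi
export HISTSIZE=4096
export HISTTIMEFORMAT="[%Y-%m-%d %H:%M:%S] "
export HISTFILE="/opt/history/${LOGNAME}.history"
# Keep each history file readable and writable by its owner only.
chmod 600 /opt/history/*history* 2>/dev/null
Append the above code to the end of the /etc/profile file, then log out and log on again. The display format and the storage file of history will have changed.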
0x04 summary and analysis
The second requirement is actually redundant. It is common sense that when a user executes history, only that user's own records are displayed. If executing history also printed the records of other users, then even with a user name field to differentiate them, telling them apart at a glance would be quite troublesome. By using HISTFILE, the history files of all users are stored in one directory, which allows the administrator to conveniently view all user commands without affecting how history works for each user.
At this point, the final integrated configuration in section 0x03 gives system maintenance personnel great management convenience, but there is still a small flaw:
The history storage file stores the command records for past operations, but the time, user name, and IP address are not explicit. The content format is as follows:
#1359020553
ifconfig
#1359020554
ls
#1359020559
cat /etc/profile
Obviously, #1359020559 is the execution time of cat /etc/profile. Although the system can accurately parse this data and format it as easy-to-read output, the content stored in the file is inconvenient for manual reading, and the user name and logon source IP address are not explicit in the file that records the command execution (they may be recorded in other files; however, it is not clear how the history command locates the user name and logon source IP address for executing a command).
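One way to work around the readability flaw when reviewing the files under /opt/history, shown as an added example that is not part of the original article: the function below converts the "#<epoch>" lines into readable timestamps and takes the user name from the file name. The function names, the user "alice" and the sample file are constructed for illustration, and GNU date (as shipped with Ubuntu) is assumed.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes GNU date (Ubuntu)
# for "date -d @EPOCH" and the <LOGNAME>.history file naming used above.

# render_history FILE
# Prints "YYYY-MM-DD HH:MM:SS user command" (UTC) for each command in FILE.
# The user comes from the file name, because the file itself holds only
# "#<epoch>" lines, each followed by the command run at that time.
render_history() {
    rh_file=$1
    rh_user=$(basename "$rh_file" .history)
    rh_stamp="-"    # "-" marks commands saved before timestamps were enabled
    while IFS= read -r rh_line || [ -n "$rh_line" ]; do
        [ -n "$rh_line" ] || continue
        rh_rest=${rh_line#?}
        case $rh_line in
            "#"*)
                case $rh_rest in
                    ""|*[!0-9]*) ;;   # "#" plus non-digits: a typed comment
                    *)  # "#" plus digits only: a timestamp if date accepts it
                        if rh_new=$(date -u -d "@$rh_rest" '+%Y-%m-%d %H:%M:%S' 2>/dev/null); then
                            rh_stamp=$rh_new
                            continue
                        fi ;;
                esac ;;
        esac
        printf '%s %s %s\n' "$rh_stamp" "$rh_user" "$rh_line"
    done < "$rh_file"
}

# Constructed sample: the three entries shown in the article, preceded by one
# command without a timestamp, written as if they were user "alice"'s file.
demo() {
    demo_dir=$(mktemp -d) || return 1
    printf '%s\n' 'echo old' '#1359020553' 'ifconfig' '#1359020554' 'ls' \
        '#1359020559' 'cat /etc/profile' > "$demo_dir/alice.history"
    render_history "$demo_dir/alice.history"
    rm -rf "$demo_dir"
}

demo
```

The logon source IP address cannot be recovered this way, because the configuration above never writes it to the history file.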